Apple iOS Security Flaw Prompts Patch Advice

On Friday, Apple announced a significant security flaw affecting literally hundreds of millions of iPhones, iPads and iPod Touches running iOS 7, the latest version of the company’s mobile operating system.

Baked into the system was a flaw that allowed an attacker, under certain circumstances, to intercept and read, in plain sight, traffic that users thought was encrypted via Secure Sockets Layer (SSL). That would include email, tweets, Web browsing and, potentially, mobile banking sessions that occur within the Web browser.

Mark Bower, a vice president at Voltage Security, elaborated: “For quite some time, attackers with knowledge of this bug had the ability to mount man-in-the-middle attacks to users operating Apple devices. This could have allowed interception or modification of SSL communications which are supposed to be private and encrypted.”

Experts appear divided as to whether this flaw also impacted traffic via apps, such as mobile banking apps.

On Friday, Apple issued a patch that it said fixed the problem on iPad, iPhone and iPod Touch.

However, the company also indicated that a related flaw exists in its OS X operating system for desktop and laptop computers. No patch has been issued so far, although Apple has indicated that one is imminent.

Note, too, that the SSL attack can occur only when the hacker has control over a WiFi network (typically a public network) or has erected a rogue cellular network (technically doable but sophisticated and rare). This requires significant skill on the part of the attacker, experts said.

Users who never access public WiFi probably have nothing to fear, said most experts.